5 Replies Latest reply on Apr 26, 2013 11:00 AM by nicole pauls

    nDepth Timed Out

    anzjackson

      I run a lot of nDepth queries in LEM (I exclusively use the LEM web interface). We are currently tracking logs from 150ish sources. When I'm looking up specific stuff as old as even a week ago, it seems to time out a lot. Is there a way to change the timeout interval? We have the virtual appliance loaded with 8.0 GB of memory allocated, but are always under 4 GB being used. We have 85% logs/Data of the 234GB recommended. Any suggestions on making this run faster?

        • Re: nDepth Timed Out
          Chrystal Taylor

What about your CPUs? What is that reserved for?


          Thanks,

          Chrystal Taylor

          http://www.loop1systems.com

            • Re: nDepth Timed Out
              anzjackson

              We've used the recommended settings, 2 CPUs at 2GHz, 8GB memory, 250 GB Hard Drive Space, etc.

                • Re: nDepth Timed Out
                  Chrystal Taylor

Do you have a high volume of logs per day coming in? Another thing you can look at is to check the default rules. If you had a version of LEM prior to 5.5, there were a lot of default rules turned on by default. If you see a lot of InternalRuleFired events and they are correlated to defaults that you don't care about, then I would recommend turning them off. I have found in several environments that turning those off lessened the load significantly on the processors and sped up the nDepth searching due to the lessened load.


                  Thanks,

                  Chrystal Taylor

                  http://www.loop1systems.com

                    • Re: nDepth Timed Out
                      anzjackson

                      Yesterday, I had 54,356,578 log events captured. I don't think that's too high on 150+ servers, but then again, I'm new at LEM. I did check the default and NATO rules and they are all turned off. I only have about 20 rules enabled right now. I'm wondering what other factors it could be. Could it be too many alerts in queue on the appliance itself? Here's my diskusage from the CMC interface.

[image: diskusage.png]


                      Thanks

                • Re: nDepth Timed Out
                  nicole pauls

                  If you're doing a search and it's timing out, you can adjust the default timeout in Manage > Appliances > Settings.


                  Regarding rules, 20 of them doesn't sound like a lot, but if they are using broad things like "Any Event" that means the processing engine does have to monitor every event coming in to see if it's something to trigger on or not and can cause some bottlenecks. You're also not queuing data based on your diskusage shot (queues mean that the engine can't keep up with the processing) which is good, so it's more like your system CAN keep up. (Also, the RAM only hanging at 4GB likely means that there's not a huge number of events hanging around in memory, either.)


                  Since the RAM never/rarely goes over 4GB, what does your CPU look like on that system? Constantly using it all? Could it be a disk limitation?